
The latest identity theft statistics released by the Identity Theft Resource Center documented 662 data breaches* in the United States in 2010. The message couldn’t be more clear:

Corporations are not yet taking identity theft and data breach seriously enough to properly train their employees, executives, and board on the BOTTOM-LINE DESTRUCTION caused by data breach.

Sure, at this point, many organizations pay lip service to data crimes. They have a privacy policy and their marketing materials state that they do everything in their power to protect your private information. Everything, that is, unless it costs them money to do so. Many corporations tend to hide behind the excuse that in these lean times, they can’t afford to take any additional security steps. But they must understand the disproportionate costs of recovering from theft rather than preventing it. In the simplest of terms, the ROI on data theft prevention training can easily be a thousand-fold. Each record lost, according to the Ponemon Institute, costs, on average, $204 to recover. Lose 1000 records (considered a very small breach), and you are suddenly out $204,000! According to the same study, the average cost for a business to recover from a data breach is $6.75 Million. The average cost to implement identity theft, social engineering and data breach training? In most cases, less than $50,000.

The causes are generally simple: perhaps your security software and firewalls need updating; employees haven’t been properly trained to destroy sensitive documents they no longer need; executives are surfing on unprotected wireless in airports and hotels; sales teams are gearing up social networking strategies that accidentally release confidential or proprietary information. Whatever the cause, companies and business owners must step up in 2011.

3 Steps to Step Up in 2011 and Eliminate Data Breach

Aggressive Education. One of the costliest data security mistakes I see companies make is attempting to train employees from the perspective of the company. This ignores a crucial reality: All privacy is personal. In other words, no one in your organization will care about data security until they understand what it has to do with them. Strategy: Give your people the tools to protect themselves personally from identity theft. In addition to showing them that you care (a good employee retention strategy), you are developing a privacy language that can be applied to business. Once they understand opting out, encryption and identity monitoring from a personal standpoint, it’s a short leap to apply that to your customer databases and intellectual property.

Start with the Humans. The root cause of most data loss is not technology; it’s a human being who makes a costly miscalculation out of fear, obligation, confusion, greed or a sense of urgency. Social engineering is the craft of extracting information out of you or your staff by pushing buttons that elicit automatic responses. Strategy: Immunize your workforce against social engineering and poor decision-making. Fraud training teaches your people how to handle requests for login credentials, passwords, employee and customer data, unauthorized building access and an office full of information whose disappearance will land you on the front page of the newspaper. The latest frontiers that thieves are exploiting are your employees’ social networks, especially Facebook and LinkedIn. It is imperative that you have a well-thought-out, clearly communicated social networking policy that minimizes the risks of data leakage, reputation damage and trust manipulation.

Security Audit. Once you have accounted for human weakness and error (above), focus on the technological sources of data theft: the weakly encrypted wireless router in your home or office, the unprotected wireless connection you use to access the Internet in an airport, hotel or café, poor passwords, lack of user-level access controls, failure to properly implement a firewall, security software or encryption, and stolen laptops, smart phones and thumb drives. Strategy: Hire an outside firm to audit your security. Your internal staff will NEVER tell you what they are failing to protect out of ignorance or lack of budget. I don’t do security audits myself, as I am on the road speaking most of the time, but I’m happy to suggest some providers if you are interested.

I say this with no intention to cause undue fear: if you don’t take steps to prevent identity theft and data breach inside of your organization, you will be next. Maybe not today, but soon. Fear is only meant for those who choose to do nothing about this crime. I, unfortunately, used to be one of these people, as you will learn from the background story on how I started writing about identity theft and eventually became an identity theft speaker.

*What is a Breach?

The ITRC defines a breach as any event that potentially puts a person’s name, Social Security number, driver’s license number, medical record or financial record (credit or debit card) at risk, in either electronic or paper format.

This study included all types of breach, and although we have become a very digital society, paper breaches accounted for almost 20% of all breaches. Malware and computer attacks accounted for only 17.1% of stolen information.